The Cyvers platform identified multiple suspicious transactions involving Dough Finance. Cyvers promptly reached out to the lending protocol Aave to assess any potential impact on its pools. Fortunately, Aave confirmed that its pools were not affected, though Dough Finance was severely impacted.
Details of the Attack
The attacker leveraged the zero-knowledge (ZK) protocol Railgun to carry out the theft, converting the stolen USD Coin (USDC) into Ether (ETH). The attacker amassed a total of 608 ETH, valued at around $1.8 million.
According to Web3 security provider Olympix, the exploit was due to unvalidated calldata within Dough Finance’s “ConnectorDeleverageParaswap” contract. Olympix stated, “The contract failed to properly check the data it received during flash loan calls, allowing the attacker to manipulate it to their advantage.” This vulnerability enabled the attacker to execute the flash loan attack and steal the funds.
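As an added illustration (not Dough Finance's ConnectorDeleverageParaswap code and not the code Olympix analysed), the constructed Solidity receiver below shows the checks a flash-loan callback needs so that the calldata it acts on cannot be substituted by a third party. It assumes Aave V3's flashLoanSimple/executeOperation interface; the contract name, the DeleverageParams struct, the router allowlist and the placeholder swap step are this example's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Dough Finance's contract. Assumes the Aave V3
// flashLoanSimple / executeOperation interface; the deleverage and swap
// logic is a placeholder.

interface IPool {
    function flashLoanSimple(
        address receiverAddress,
        address asset,
        uint256 amount,
        bytes calldata params,
        uint16 referralCode
    ) external;
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

contract ValidatedDeleverageConnector {
    IPool public immutable POOL;
    address public immutable owner;

    // Swap venues this contract is willing to forward calldata to.
    mapping(address => bool) public allowedRouter;

    // Hash of the params this contract encoded for the in-flight loan;
    // zero when no loan is in progress.
    bytes32 private expectedParams;

    struct DeleverageParams {
        address user;        // position being deleveraged
        address router;      // allowlisted swap venue
        bytes swapCalldata;  // payload forwarded to the router
        uint256 minOut;      // slippage floor for the swap
    }

    error NotPool();
    error NotInitiatedHere();
    error UnexpectedParams();
    error RouterNotAllowed(address router);
    error NotAuthorized();

    constructor(IPool pool) {
        POOL = pool;
        owner = msg.sender;
    }

    function setRouter(address router, bool allowed) external {
        if (msg.sender != owner) revert NotAuthorized();
        allowedRouter[router] = allowed;
    }

    // The only path that starts a loan for this receiver. The contract
    // encodes the params itself and records their hash before the pool
    // calls back, so the callback can prove it is acting on its own data.
    function deleverage(address asset, uint256 amount, DeleverageParams calldata p) external {
        if (msg.sender != p.user && msg.sender != owner) revert NotAuthorized();
        if (!allowedRouter[p.router]) revert RouterNotAllowed(p.router);
        bytes memory params = abi.encode(p);
        expectedParams = keccak256(params);
        POOL.flashLoanSimple(address(this), asset, amount, params, 0);
        expectedParams = bytes32(0);
    }

    // Aave V3 flash-loan callback.
    function executeOperation(
        address asset,
        uint256 amount,
        uint256 premium,
        address initiator,
        bytes calldata params
    ) external returns (bool) {
        // 1. Only the pool may invoke the callback.
        if (msg.sender != address(POOL)) revert NotPool();
        // 2. Only loans this contract itself started are honoured; anyone
        //    else calling flashLoanSimple with this receiver as the target
        //    shows up as a different initiator.
        if (initiator != address(this)) revert NotInitiatedHere();
        // 3. The calldata must be exactly what deleverage() encoded, so the
        //    router, user and slippage fields cannot be replaced.
        if (expectedParams == bytes32(0) || keccak256(params) != expectedParams) {
            revert UnexpectedParams();
        }

        DeleverageParams memory p = abi.decode(params, (DeleverageParams));

        // Placeholder for the real deleverage steps (repay debt, withdraw
        // collateral, swap via p.router with p.minOut enforced).
        _swap(p);

        // 4. Approve only the exact repayment; the pool pulls amount + premium.
        IERC20(asset).approve(address(POOL), amount + premium);
        return true;
    }

    function _swap(DeleverageParams memory p) internal {
        // p.router was allowlisted in deleverage(); the call is still checked.
        (bool ok, ) = p.router.call(p.swapCalldata);
        require(ok, "swap failed");
    }
}
```

The caller and initiator checks (1 and 2) are what stop a third party from driving the callback with their own params; the hash check (3) is defence in depth for the case where the contract gains a second code path that starts loans. Review any flash-loan receiver against all three: a callback that decodes params and acts on them without these checks is treating attacker-controllable input as trusted state.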
Advice for Affected Users
Olympix noted that users who had deposited funds into the exploited contract might be affected by the hack. However, Aave pools remained untouched.
To reduce further risk, Olympix advised Dough Finance users to withdraw their funds to secure wallets immediately. They also urged users to stay alert for updates from the Dough Finance team and to avoid interacting with the protocol until the situation is resolved.